Skip to content

Update Policy Library #315

Update Policy Library

Update Policy Library #315

Workflow file for this run

---
name: Update Policy Library
on:
schedule:
- cron: '0 8 * * 1-5'
workflow_dispatch: {}
env:
remote_repository: "Azure/Enterprise-Scale"
branch_name: "patch-policy-library"
az_accounts_minimum_version: "2.2.3"
pr_title: "feat: Update Policy Library (automated)"
pr_body: "This is an automated 'pull_request' containing updates to the library templates stored in '/infra-as-code/bicep/modules/policy/definitions/lib' & '/infra-as-code/bicep/modules/policy/assignments/lib'.\nPlease review the 'files changed' tab to review changes."
permissions:
contents: read
jobs:
update-templates:
name: Update Policy Library
if: github.repository == 'Azure/ALZ-Bicep'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Local repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: ${{ github.repository }}
fetch-depth: 0
- name: Remote repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: ${{ env.remote_repository }}
path: ${{ env.remote_repository }}
ref: main
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
id: generate-token
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Configure local git
run: |
git config user.name github-actions
git config user.email [email protected]
working-directory: ${{ github.repository }}
- name: Create and checkout branch
run: |
BRANCH_URL="repos/${{ github.repository }}/branches"
JQ_FILTER=".[] | select(.name == \"${{ env.branch_name }}\").name"
CHECK_BRANCH_ORIGIN=$(gh api $BRANCH_URL | jq -r "$JQ_FILTER")
if [ -z "$CHECK_BRANCH_ORIGIN" ]
then
echo "Checkout local branch (create new, no origin)..."
git checkout -b ${{ env.branch_name }}
else
echo "Checkout local branch (create new, track from origin)..."
git checkout -b ${{ env.branch_name }} --track origin/${{ env.branch_name }}
fi
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
- name: Update Policy Library
uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
with:
inlineScript: |
Write-Information "==> Running script..." -InformationAction Continue
${{ github.repository }}/.github/scripts/Invoke-LibraryUpdate.ps1 `
-AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
-TargetPath ${{ github.workspace }}/${{ github.repository }} `
-SourcePath ${{ github.workspace }}/${{ env.remote_repository }} `
-Reset
azPSVersion: "latest"
- name: Install ALZ PowerShell Module
shell: pwsh
run: |
Install-Module -Name 'ALZ' -Force
- name: Update Policy Definition Bicep Input Files
uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
with:
inlineScript: |
cd ${{ github.workspace }}/${{ github.repository }}
Write-Information "==> Running script..." -InformationAction Continue
.github/scripts/Invoke-PolicyToBicep.ps1
azPSVersion: "latest"
- name: Check for changes
id: git_status
run: |
CHECK_GIT_STATUS=($(git status -s))
git status -s
echo "changes=${#CHECK_GIT_STATUS[@]}" >> $GITHUB_OUTPUT
working-directory: ${{ github.repository }}
- name: Add files, commit and push
if: steps.git_status.outputs.changes > 0
run: |
echo "Pushing changes to origin..."
git add infra-as-code/bicep/modules/policy/definitions/lib
git add infra-as-code/bicep/modules/policy/assignments/lib
git config --global core.autocrlf input
git commit -m '${{ env.pr_title }}'
git push origin ${{ env.branch_name }}
working-directory: ${{ github.repository }}
- name: Create pull request
if: steps.git_status.outputs.changes > 0
run: |
HEAD_LABEL="${{ github.repository_owner }}:${{ env.branch_name }}"
BASE_LABEL="${{ github.repository_owner }}:$(echo '${{ github.ref }}' | sed 's:refs/heads/::')"
PULL_REQUEST_URL="repos/${{ github.repository }}/pulls"
JQ_FILTER=".[] | select(.head.label == \"$HEAD_LABEL\") | select(.base.label == \"$BASE_LABEL\") | .url"
CHECK_PULL_REQUEST_URL=$(gh api $PULL_REQUEST_URL | jq -r "$JQ_FILTER")
if [ -z "$CHECK_PULL_REQUEST_URL" ]
then
CHECK_PULL_REQUEST_URL=$(gh pr create \
--title "${{ env.pr_title }}" \
--body "${{ env.pr_body }}" \
--base "${{ github.ref }}" \
--head "${{ env.branch_name }}" \
--draft)
echo "Created new PR: $CHECK_PULL_REQUEST_URL"
else
echo "Existing PR found: $CHECK_PULL_REQUEST_URL"
fi
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}